The AWS Nitro System is the underlying platform for our next generation of EC2 instances that enables AWS to innovate faster, further reduce cost for our customers, and deliver added benefits like increased security and new instance types.
AWS has completely re-imagined our virtualization infrastructure. Traditionally, hypervisors protect the physical hardware and bios, virtualize the CPU, storage, networking, and provide a rich set of management capabilities. With the Nitro System, we are able to break apart those functions, offload them to dedicated hardware and software, and reduce costs by delivering practically all of the resources of a server to your instances.
Coming Soon in 2022: NitroTPM, a security and compatibility feature that makes it easier for customers to use applications and operating system capabilities that depend on trusted platform modules (TPMs) in their EC2 instances.
The Nitro System is a rich collection of building blocks that can be assembled in many different ways, giving us the flexibility to design and rapidly deliver EC2 instance types with an ever-broadening selection of compute, storage, memory, and networking options. This innovation also leads to bare metal instances where customers can bring their own hypervisor or have no hypervisor.
The Nitro System provides enhanced security that continuously monitors, protects, and verifies the instance hardware and firmware. Virtualization resources are offloaded to dedicated hardware and software minimizing the attack surface. Finally, Nitro System's security model is locked down and prohibits administrative access, eliminating the possibility of human error and tampering.
Better performance and price
The Nitro System delivers practically all of the compute and memory resources of the host hardware to your instances resulting in better overall performance. Additionally, dedicated Nitro Cards enable high speed networking, high speed EBS, and I/O acceleration. Not having to hold back resources for management software means more savings that can be passed on to the customer.
Support for previous generation instances
AWS Nitro System supports previous generation EC2 instances to extend the length of service beyond the typical lifetime of underlying hardware. The AWS Nitro System provides modern hardware and software components for EC2 instances, allowing customers to continue running their workloads on the instance families they were built on.
The Nitro Cards are a family of cards that offloads and accelerates IO for functions, ultimately increasing overall system performance. Key cards include Nitro Card for VPC, Nitro Card for EBS, Nitro Card for Instance Storage, Nitro Card Controller, and Nitro Security Chip.
Nitro Security Chip
The Nitro Security Chip enables the most secure cloud platform with a minimized attack surface as virtualization and security functions are offloaded to dedicated hardware and software. Additionally, a locked down security model prohibits all administrative access, including those of Amazon employees, eliminating the possibility of human error and tampering.
The Nitro Hypervisor is a lightweight hypervisor that manages memory and CPU allocation and delivers performance that is indistinguishable from bare metal.
AWS Nitro Enclaves
AWS Nitro Enclaves enables customers to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information (PII), healthcare, financial, and intellectual property data within their Amazon EC2 instances. Nitro Enclaves uses the same Nitro Hypervisor technology that provides CPU and memory isolation for EC2 instances.
NitroTPM (Coming soon in 2022)
NitroTPM, a Trusted Platform Module (TPM) 2.0, is a security and compatibility feature that makes it easier for customers to use applications and operating system capabilities that depend on TPMs in their EC2 instances. It conforms to the TPM 2.0 specification, which makes it easy to migrate existing on-premises workloads that use TPM functionalities to EC2. NitroTPM provides a secure cryptographic offload using the AWS Nitro System, and allows EC2 instances to generate, store, and use keys without having access to the same keys. NitroTPM can also provide a cryptographic proof of your instances' integrity via TPM attestation mechanisms.
- Video - re:Inforce - Security Benefits of EC2 Nitro Architecture (Launch Pad)
- Video - re:Inforce - Security Benefits of EC2 Nitro Architecture (Presentation)
- Video - re:Invent - Nitro Deep Dive (Presentation)
- Video - re:invent - Evolution of Nitro System (Presentation)
- Jeff Barr Blog
- Perspectives - AWS Nitro System - James Hamilton